GDPR – how does it affect your own marketing

GDPR is coming! You’ve heard about it. You’ve heard it is going to affect your business. You’ve heard that it is confusing. So much so, that many different companies are interpreting it in different ways. You can find a copy of the regulations here.
Whilst we recommend you do your own research, the following is our interpretation of how GDPR will affect your marketing.

WHAT DOES GDPR STAND FOR?
General Data Protection Regulations

WHEN DOES IT COME INTO FORCE?
May 25, 2018

WHAT IS IT ULTIMATELY FOR?
To help reduce the amount of unsolicited mail & email correspondence EU individuals receive.

WHAT SORT OF COMPANIES NEED TO KNOW ABOUT THIS?
All companies, regardless of whether they are in the EU or not, assuming they handle personal data of EU individuals.

WHAT DO COMPANIES HAVE TO DO?
Ensure that the personal information (data) they get regarding their clients, suppliers, staff, etc is handled in a more professional way.

WHAT DO YOU MEAN BY ‘PERSONAL DATA’?
This law applies to data which can be traced back to the individual. A name, a telephone number, a photograph, a description.
Companies collect personal data in many ways, whether this is through sign up forms on their website, adding contact names onto a CRM database, keeping staff CVs in a file in a locked cupboard. Even if you have Google Analytics on your website, this will track visitor data. That even includes things like their computer’s IP address.

WHAT DO YOU MEAN?
Well, you need to ensure that you only send mail / email to companies/individuals who have specifically given you consent to do so.

WOW, REALLY?
Yes, if they have not provided you with consent to receive correspondence you need to have a procedure in place to not do so. However, you may argue that you are processing their data for a ‘legitimate business interest’.

WHAT DOES THAT MEAN?
There is no real definition here but, essentially, it means that for your business to continue, you need to process their data. For example, passing on a client’s personal data to a debt collecting agency if you need to recover old debts.

MY CLIENTS NEVER SAID THEY DIDN’T WANT TO RECEIVE INFORMATION FROM ME.
This is not enough. Did you explicitly ask permission to send them email marketing? Did they explicitly give you consent to do so? If not, then you cannot simply assume it will be acceptable. No longer will it be OK to assume you have their permission. Nor is it OK to hide this fact in your privacy policy. It is certainly no longer OK to have a pre-ticked opt-in box which individuals will need to untick. Those things are no longer allowed.

SO WHAT DO I DO NOW?
There are a number of things you need to do. Start getting consent now. Don’t wait for the deadline.
Any company or website forms that ask for personal data need to be amended with the addition of a consent tick box (with the default setting being unticked). You need to add some text which explains that ‘by ticking this box you are providing us with consent to store and use your data’ or words like that. This needs to be clear. In addition, you need to give them a clear, explained link through to a page (namely your privacy policy page) that explains more about how you will handle their information.

THAT SOUNDS EASY ENOUGH. IS THAT IT?
Unfortunately not. There’s still more. You need to make it clear exactly what data you are collecting, how you are storing it and how you would destroy it if asked.
You also need to start to record when they gave you consent to use (process) it. And you need to log exactly what they were shown when they opted in. If you receive an email confirmation when someone registers or checks out, that may be enough to comply with the regulations.

BUT WHAT ABOUT ALL THE COMPANIES I HAVE ALREADY GOT DATA FOR? DO I HAVE TO SCRAP THIS?
Well, here’s some good news (at last!). The GDPR regulations say that if there is another law that conflicts with it, then you should pay attention to the existing law. And, when it comes to email and telephone marketing, there is legislation called PECR that takes priority.
PECR allows a thing called ‘soft opt-in’. PECR says that if you got someone’s information when they bought something or enquired about something, then it’s OK to send marketing correspondence to them about the same kind of thing they were interested in. However, it is also good practice to ask them to opt in.

CAN I ARGUE THAT MARKETING MY COMPANY’S GOODS & SERVICES IS A LEGITIMATE BUSINESS INTEREST?
If you want. In fact, article 47 of the regulations does say ‘the processing of personal data for direct mail purposes may be regarded as being carried out for a legitimate interest’.
However, you will need to demonstrate that you are doing all you can to adhere to the rules. That you have processes in place for:
– retaining their data securely
– allowing them to view and edit the information you store
– ‘unsubscribing’
Claiming ‘legitimate business interest’ as a reason may not be good enough. We would suggest you should also put things in place to gain consent.

WHAT IF SOMEONE WANTS ME TO STOP MARKETING TO THEM?
This is important and you need to not only comply with their wishes but also to show you have a procedure in place for this within your privacy policy. People need to have the right to tell you to stop marketing to them. And, you must make it easy for them to opt-out of receiving future marketing.
From now on, you need to ensure all marketing emails tell people how to unsubscribe, preferably with a link to click. This link can go to an opt out landing page perhaps.
For printed mailers, these need to tell people what to do if they want to stop receiving future mailers. Perhaps a number to call, an address to email or a link to visit. Best not to wait ’til next May to do this but to put this onto the next mailer you send out.
Another thing you must do as part of the new regulations is to keep a ‘do not contact’ list. Once someone has opted out, it’s critical you stop sending stuff.

WHAT HAPPENS IF I DON’T?
Then your company may face stiff fines from the regulator.

HOW MUCH?
It’s a lot! This can be up to €20,000,000 or 4% of global annual turnover, whichever is greater.

BUT, I AM A SMALL COMPANY. NO ONE WILL EVER KNOW, WILL THEY?
Perhaps, but we are simply telling you the law. No doubt the bigger companies will be targeted first but we just do not know.

WHO WILL MONITOR THIS?
We do not know. There may be a number of compliance agencies that are set up specifically to check every company. If this is the case then there will inevitably be a large number of fines. By making these changes now, you will protect yourself. And your bank balance.

WHAT HAPPENS WHEN THE UK COMES OUT OF THE EU?
GDPR is an EU directive so, once the UK is out of the EU, this regulation may no longer be required for some companies BUT… if that company still holds data on EU individuals, then they will still need to comply.

WILL THIS REALLY REDUCE THE AMOUNT OF SPAM I RECEIVE?
Well, this is the goal. Spam accounts for up to 80% of incoming mail. Anything to reduce this is a good idea. So let’s hope so. However, one person’s spam is another person’s opportunity. If companies successfully argue that they are sending mailshots as part of a ‘legitimate business interest’, then it is down to the individual to state they do not give consent or request to be ‘unsubscribed’.

IS THIS TRUE FOR PRINTED MAILINGS TOO?
Yes, the law applies to all mailings that are sent to individuals. The sender may need to add instructions to the mailing regarding how that individual can opt out.

BUT I THOUGHT I NEEDED TO GIVE CONSENT…?
Yes, that is true. And this is where the confusion lies. The laws may not immediately stop you receiving non-consensual mailings. But they should help reduce them.

WHAT ABOUT MAILINGS TO COMPANIES?
As far as we understand it, that is fine. Businesses can keep a list of company details and can market directly to these so long as no personal information is shown.

FINALLY, CAN DESIGN INC HELP US?
Yes, if we already manage your website, we can update all the forms accordingly, add new text and link through to the new privacy policy page. We can also update the auto-confirmation that you receive. Furthermore, we can set up an opt-in / opt-out landing page. Check our GDPR Process Map to see what you need to do. Then give us a call on 01784 410380 or by email